1. Forum
  2. Usenet
  3. COMP.UNIX.BSD.FREEBSD.ANN

  • FreeBSD Errata Notice FreeBSD-EN-25:02.audit

    From FreeBSD Errata Notices@21:1/5 to All on Wed Jan 29 22:00:08 2025
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    ============================================================================= FreeBSD-EN-25:02.audit Errata Notice
    The FreeBSD Project

    Topic: System call auditing disabled by DTrace

    Category: core
    Module: audit
    Announced: 2025-01-29
    Credits: Joe Duin
    Affects: All supported versions of FreeBSD.
    Corrected: 2025-01-17 13:40:36 UTC (stable/14, 14.2-STABLE)
    2025-01-29 18:54:51 UTC (releng/14.2, 14.2-RELEASE-p1)
    2025-01-29 18:55:18 UTC (releng/14.1, 14.1-RELEASE-p7)
    2025-01-17 13:40:56 UTC (stable/13, 13.4-STABLE)
    2025-01-29 18:55:24 UTC (releng/13.4, 13.4-RELEASE-p3)

    For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security
    branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

    I. Background

    The audit(4) facility allows a system administrator to audit
    security-relevant events. System calls are one such security-related
    event, and the audit(4) facility will record whether the system call was successful along with other important details.

    II. Problem Description

    When userspace invokes a system call, the kernel routes the call through
    a common function which optionally logs an audit record for the call.
    This function also calls into DTrace to implement system call tracing.
    When both system call auditing and DTrace system call tracing are
    enabled at the same time, a logic error causes auditing to be silently disabled.

    III. Impact

    A privileged user can inhibit system call audit logging by running a
    DTrace script which uses the "syscall" provider. Once the DTrace script
    exits, system call auditing will resume without any intervention.

    IV. Workaround

    No workaround is available.

    V. Solution

    Upgrade your system to a supported FreeBSD stable or release / security
    branch (releng) dated after the correction date and reboot.

    Perform one of the following:

    1) To update your system via a binary patch:

    Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility:

    # freebsd-update fetch
    # freebsd-update install
    # shutdown -r +10min "Rebooting for a security update"

    2) To update your system via a source code patch:

    The following patches have been verified to apply to the applicable
    FreeBSD release branches.

    a) Download the relevant patch from the location below, and verify the
    detached PGP signature using your PGP utility.

    # fetch https://security.FreeBSD.org/patches/EN-25:02/audit.patch
    # fetch https://security.FreeBSD.org/patches/EN-25:02/audit.patch.asc
    # gpg --verify audit.patch.asc

    b) Apply the patch. Execute the following commands as root:

    # cd /usr/src
    # patch < /path/to/patch

    c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
    system.

    VI. Correction details

    This issue is corrected as of the corresponding Git commit hash in the following stable and release branches:

    Branch/path Hash Revision
    - ------------------------------------------------------------------------- stable/14/ 4b9ba274d736 stable/14-n270139 releng/14.2/ 71bf983f92ba releng/14.2-n269508 releng/14.1/ 1574c53178e9 releng/14.1-n267729 stable/13/ 1bf531bcd791 stable/13-n259015 releng/13.4/ f7b9cd733c39 releng/13.4-n258269
    - -------------------------------------------------------------------------

    Run the following command to see which files were modified by a
    particular commit:

    # git show --stat <commit hash>

    Or visit the following URL, replacing NNNNNN with the hash:

    <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

    To determine the commit count in a working tree (for comparison against
    nNNNNNN in the table above), run:

    # git rev-list --count --first-parent HEAD

    VII. References

    The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-25:02.audit.asc> -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmeajKMACgkQbljekB8A Gu/wIxAA38DHdcS7lmwRT/rYyuUICRW7v51RU/FMzbxJ/F0Aovh+mhKUjI3IU6Ym HEfJpu0o0bRN+tf2cCz4JEO881NhipNsmZlZ62W1Rz3bIG0MmcCQ+9bYMlLcCKrB V1GR/kve5ENZRi9R4eQ+zzrIMXnrL18QOY1BMxnuqT/QmA18LPx0XPGhecKj4L0+ brD7xvg8cGd6QYKz56PVKqgPSJtN6gl9qgiIb2jtTNoz9lyXf/88N4nvFTGB86Mj wVQy9J/fdiHU6154xQq8HaIEk2q0kQsOM7fuEwms1yCgOKiOyYOL2Ohn1KDRD1Vh ECWLldc2l67ioLY2o3I15O4gSPa+/NcEgtGxrgCcUbp6cWHAMYbDw8/Oth7eIdjB tuv0Hu27ADJH9RawmrgziD9BzQzSK1qzzBLvic20pvU3tqlSTDWyrTfLYkkFoqjg 8tL3PULNtHgcoP1VwfhQjVZAB5XzCDvuxTOOG6po6Hp02zdLmuQzQ7M+p/Fz1Cf1 rftSNXfXS5vXnX18j51/I6KZaqRg039RVotVy7Pjy/+FWD5y8UGqp5QqPBlOvjve 62R+FKVVr/Ki17kuQMayCc2hoWS4nKirQK1Kb2AoKIur5HoIM7urUnIIanzLvmIT tSJxvh1msNsOf2Q+1Yo6IP27Q9yjDTPZA+jFTzSL9lGiJAXoiVQ=
    =DEwx
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)